I'm testing OpenID authentication using python-openid on webpy's development web server. Through Yahoo! and myOpenID, I keep getting a failure response with the message Server denied check_authentication. The strange part is, I also receive the correct openid.identity.
The same type of authentication works fine with Google (@ https://www.google.com/accounts/o8/ud...). On one hand, that gives me confidence that I'm doing something right, but on the other hand, the inconsistency confuses me.
return_to & trust_root are both localhost:8080, which may have something to do with it.
Here's the code I use to send the user to Yahoo! to authenticate:
    def POST(self):
        post_data = web.input()
        if post_data.has_key('openid_identifier'):
            openid_identifier = post_data.get('openid_identifier')
            c = Consumer(session, openid.store.memstore.MemoryStore())
            auth = c.begin(openid_identifier)
            auth_url = auth.redirectURL('http://localhost:8080', return_to='http://localhost:8080/authenticate')
            raise web.seeother(auth_url)
        return post_data
auth_url in this case is set to (formatted for easy reading):
https://open.login.yahooapis.com/openid/op/auth?
openid.assoc_handle=cYSO3wJSjQa3ewmRpaQz3YodzqjosP1ta.4TVzumqlLpAFM7oWci6K9bMKG4uuqZ.5m.fY7Wp8BWfQ1eR_soHWpJ6gCsKtxi_7Bqi22T5RUcMIuQBVjpGFSjc_kRY2k-&
openid.claimed_id=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&
openid.identity=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0%2Fidentifier_select&
openid.mode=checkid_setup&
openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&
openid.realm=http%3A%2F%2Flocalhost%3A8080&
openid.return_to=http%3A%2F%2Flocalhost%3A8080%2Fauthenticate%3Fjanrain_nonce%3D2010-10-08T02%253A56%253A04ZrxAI
Here's what the handler looks like at the return URL:
    def GET(self):
        data = web.input()
        c = Consumer(session, openid.store.memstore.MemoryStore())
        result = c.complete(dict(data), current_url='http://localhost:8080/authenticate')
        if result.status == SUCCESS:
            openid_identity = data.get('openid.identity')
            ...
        render = web.template.render('templates/', base='layout')
        return render.error(...)
result gets set to <openid.consumer.consumer.FailureResponse id=None message='Server denied check_authentication'>, and data (the query parameters on the return) are set like this:
<Storage {'openid.op_endpoint': u'https://open.login.yahooapis.com/openid/op/auth',
'openid.sig': u'yCHffpHs2Whtw9p1gPzC+ToQJ0k=',
'openid.ns': u'http://specs.openid.net/auth/2.0',
'janrain_nonce': u'2010-10-08T02:56:04ZrxAIWh',
'openid.return_to': u'http://localhost:8080/authenticate?janrain_nonce=2010-10-08T02%3A56%3A04ZrxAIWh',
'openid.pape.auth_level.nist': u'0',
'openid.claimed_id': u'https://me.yahoo.com/a/d3eEQZAWydfmtDwaGB2vBEVU4vIMLsez#1ac56',
'openid.mode': u'id_res',
'openid.realm': u'http://localhost:8080',
'openid.response_nonce': u'2010-10-08T02:55:52ZRLNmEd7aWiaGWjHfhqEQs2Fxj3.nXdwciA--',
'openid.signed': u'assoc_handle,claimed_id,identity,mode,ns,op_endpoint,response_nonce,return_to,signed,pape.auth_level.nist',
'openid.identity': u'https://me.yahoo.com/a/d3eEQZAWydfmtDwaGB2vBEVU4vIMLsez',
'openid.assoc_handle': u'cYSO3wJSjQa3ewmRpaQz3YodzqjosP1ta.4TVzumqlLpAFM7oWci6K9bMKG4uuqZ.5m.fY7Wp8BWfQ1eR_soHWpJ6gCsKtxi_7Bqi22T5RUcMIuQBVjpGFSjc_kRY2k-'}>
That sure doesn't look like a failure response to me. Notice that openid.identity is set. And yes, that is my OpenID identity on Yahoo!.
I'm not sure where to take this from here. Any words of advice?
check_authentication shouldn't even be attempted. I must be using the python-openid API incorrectly, but I can't figure out how. – Mike M. Lin
django-openid-auth and django-openid-consumer? They contain debugged examples on how to handle OpenID requests. – André Caron
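
For context on the fallback discussed above, an added example (not from the post, and not python-openid's code): a small Python 3 model of how an OpenID 2.0 relying party verifies an assertion. It checks the signature locally when the association named by openid.assoc_handle is in its store, and otherwise has to fall back to check_authentication, which is what happens when the return handler looks in a different store from the one used to start the request. ToyStore, sign, verify_assertion and all sample values are constructed for illustration.

```python
import base64
import hashlib
import hmac

class ToyStore:  # constructed stand-in, not python-openid's MemoryStore
    def __init__(self):
        self._assocs = {}
    def put(self, endpoint, handle, mac_key):
        self._assocs[(endpoint, handle)] = mac_key
    def get(self, endpoint, handle):
        return self._assocs.get((endpoint, handle))

def sign(fields, mac_key):
    # OpenID 2.0 signs "key:value\n" for each name in openid.signed, in that order.
    kv = "".join("%s:%s\n" % (k, fields["openid." + k])
                 for k in fields["openid.signed"].split(","))
    mac = hmac.new(mac_key, kv.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(mac).decode("ascii")

def verify_assertion(fields, store):
    """Model of the relying party's choice between local and direct verification."""
    mac_key = store.get(fields["openid.op_endpoint"], fields["openid.assoc_handle"])
    if mac_key is None:
        # No stored association: the only option left is asking the OP (check_authentication).
        return "needs-check_authentication"
    ok = hmac.compare_digest(sign(fields, mac_key), fields["openid.sig"])
    return "verified-locally" if ok else "bad-signature"

# Constructed sample values, not taken from the post.
ENDPOINT, HANDLE, MAC_KEY = "https://op.example/auth", "handle-1", b"constructed-secret"

def sample_response():
    fields = {
        "openid.op_endpoint": ENDPOINT,
        "openid.assoc_handle": HANDLE,
        "openid.identity": "https://op.example/user/alice",
        "openid.mode": "id_res",
        "openid.signed": "op_endpoint,assoc_handle,identity,mode",
    }
    fields["openid.sig"] = sign(fields, MAC_KEY)
    return fields

def demo():
    begin_store = ToyStore()
    begin_store.put(ENDPOINT, HANDLE, MAC_KEY)  # association created when the request is sent
    response = sample_response()
    per_request = verify_assertion(response, ToyStore())  # new store in the return handler
    shared = verify_assertion(response, begin_store)      # same store reused on return
    return per_request, shared
```

With a store that outlives the request, the assertion is verified locally and no check_authentication round trip is made.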